AnyConnect clients establish VPN tunnels to the firewall and are authenticated against AD. For AD, the ASA sends the authentication request to ISE, which is integrated with AD. Clients are assigned to different group-policies depending on which AD group they belong to.
We would like to add machine authentication to this. Is it possible to additionally check that the client machine is also present and active in AD?
To configure machine authentication in Cisco ISE (Identity Services Engine), follow these steps:
1. Log in to the Cisco ISE admin portal.
2. Go to "Administration" > "Identity Management" > "Identity Sources".
3. Click "Add" and select "Active Directory" (or your desired identity source).
4. Configure the identity source settings (e.g., domain, username, password).
5. Go to "Policy" > "Authentication" > "Machine Authentication".
6. Click "Add" and select the desired authentication protocol (e.g., EAP-TLS, PEAP).
7. Configure the authentication settings (e.g., certificate requirements, authentication order).
8. Go to "Policy" > "Authorization" > "Machine Authorization".
9. Click "Add" and select the desired authorization policy (e.g., permit or deny access).
10. Configure the authorization settings (e.g., conditions, permissions).
11. Go to "Administration" > "Network Resources" > "Network Devices".
12. Click "Add" and select the device type (e.g., switch, router).
13. Configure the device settings (e.g., IP address, authentication protocol).
14. Save and apply the changes.
This configuration enables machine authentication in Cisco ISE, allowing devices to authenticate and authorize access to the network.